Old Tricks, New Face: Evolution of Phishing

Phishing, you’ve heard your IT people talk about it but you may think it’s not that relevant to you. You’d never fall for something so obvious. Chances are you’ve encountered it a lot through the phone, email, maybe even a webpage that looked suspicious. When it comes to phishing overconfidence can be a trap.

Phishing is simply tricking people into providing sensitive information with deceptive tactics. The criminals who practice it have the common motives: money, leverage, or power. Most organizations have robust technological defenses and have trained their employees in some manner to recognize phishing attempts. However this still doesn’t seem to be effective, because every year roughly 37 million users fall victim to theft via phishing. 87% of the phishing attempts are not done on email, but through the browser and malicious links. So while emails were a popular form that many are familiar with now, gaining people’s information while they are browsing the web is the most common form now.

So how did we get here? How has phishing changed in such a short amount of time. As cyber defenses get better so to do cyber criminal adaptability. So let’s take a journey and explore what has shifted and why tricks from the mid 80s are still effective to this day.

Criminal Startups (1986 – Mid 90s)

Lets consider this the startup phase for cyber criminals, where they themselves were not that sophisticated but were effective in their execution of attacks. With the rise of the internet and services like AOL in 1986, there came communities of criminal actors who plotted to steal the information of innocent internet users. They did this through generators such as AoHell where fake credit card credentials were used to gain access to the internet. From here they used the AIM messenger and often posed as customer support in order to steal data from real paying customers. In addition to posing as customer support and using AIM as a means of acquiring information, the cyber criminals also decided to also set up fake web pages as well. It took AOL a while to catch on to this activity when it was happening; however when they did they acted swiftly as shut down the accounts engaged in such malicious activity.

Take note here the tactics used: posing as customer support, fake identities, fake webpages, instant messenger. These activities have not exactly been done away with, and still work very well.

Rapid Growth (Mid 90s – Early 2000s)

During the startup period it would seem criminals were able to employ rather simple social engineering techniques to direct behaviour towards their ends. When AOL caught on the criminals essentially had to rapidly change their tactics in order to continue their shady activities. Email started gaining traction as the primary means of communication for people and organizations. This naturally attracted criminals to continue their activities in that space. This is where the famous Nigerian Prince emails came along or the emails that claimed you were the descendant of a royal line. As silly as these emails may sound, many people fell for them.

As people became more aware the emails and landing pages started changing over time to look more like something people would expect to receive. The emails started to looked like account alerts from services people were using, they looked like cries of help from family and friends. They started to look very real and this caused a surge of information theft via phishing. Each time the public caught on the more advanced the emails started to become. There was a common thread here though, the emails often had typos and design issues. People were able to tell, something was off and these glaring issues became the signs of a scam.

However, this means people got comfortable with grammatically correct emails and websites. As well as the false sense of security that came with a SSL certificate. This allowed cyber criminals to set up websites that seemed very legitimate yet were traps for stealing information. Emails got so advanced that it became hard to distinguish between official ones and fake ones.

Without a doubt this was the rapid growth period for cyber criminals. Many people to this day are still being conned by emails that look authentic. However phishing has become far more advanced now where the email technique is only used 12% of the time. The rest is browser based phishing which is more advanced than meets the eye.

Criminal Innovations (2000s -2010)

Ever wonder why you keep seeing updates for Java, Silverlight, Flash, or just for your browser. This is because they are exploitable. Using languages such as javascript cyber criminals can make a link on a page appear to say one thing and lead to another. For example this link leading to google displays a path at the bottom of your screen when you hover. However, a cyber criminal can control whatever text appears at the bottom and then have you redirect to a whole other part of the internet. These are browser exploits and also happen through flash and java. Anything can be hidden in embedded links or spaces online or in documents.

False links combined with a sophistication in replicating legitimate websites presents a very dangerous combination. For individuals and organizations alike. Imagine a scenario where an entry level employee receives an email that is a random how-to guide on offering to boost productivity. When the employee clicks the link malware is installed into the corporate network or when the employee downloads the word document malware is installed. The malware could siphon information outside your networks through the infected computer. As you can see phishing is much more sophisticated that the early criminal startup days. Now it is a dangerous combination of social engineering, visual deception, and malware that collectively make up phishing practices today. Missing those emails claiming you are royalty yet?

Masterminds (2010 – Present)

Since its inception, phishing has been something of a dragnet practice, where it targeted large groups of people with a 30% success rate. It is for this reason that it wasn’t as much of a topic in the space of cyber security until the last few decades where it became very advanced and sophisticated. In recent years, phishing has become extremely targeted able to fool even CEOs of fortune 500 companies. This targeted manifestation is called spear phishing. It is calculated, well researched, and precise. Practitioners of spear phishing carry very advanced knowledge of markets, business, and human behaviour. According to Vanson Bourne spear phishing can cost an organization up tp $1,6 Million per attack, with approximately 84% of the respondents to their survey falling victim to a target phishing attack. Target phishing attacks are also targeting “whales” which are CEOs and executive level staff for very specific information. The cyber criminals targeting CEOs are often after more than just a financial payout.

In addition to targeted phishing, angler phishing has also become much more popular. This phishing approach leverages social media and customers engaging companies on there. When a customer reaches out to a company, a similar account with customer service at the end of the name will respond and customers will reasonably provide all of their information to them. Proofpoint, in their report estimated that social brand fraud was very prevalent where 1 in 5 corporate brand accounts online were fake. Currently companies and think tanks are still trying to figure out an approach to handle angler phishing.

Staying Safe

While there is no 100% foolproof method of staying safe from phishing there are some your organization can take. Kaspersky recommends the following:

Education:When you ask the average employee about phishing their knowledge may be of its from in the early 2000s with the Prince asking for money. Instead it would be best to educate employees about what has been discussed above and how sophisticated phishing truly is right now. You can then provide best practices for your employees to use during the online.

Security SolutionEvery business right now needs to have some level of security in order to keep their data safe. Phishing is just one part of a variety of threats that organizations face everyday with the largest being insider threat. It is important to work with a security firm to customize a security solutions for your unique needs.

Stay vigilant, and remember phishing is evolving every day. Are you prepared for the next potential attack?

Isaac Kohen started his career in quantitative finance developing complex trading algorithms for a major Wall Street hedge fund. During his tenure at Wall Street and his subsequent experience securing highly sensitive data for large multi-national conglomerates, he identified the market need for a comprehensive insider threat and data loss prevention solution. And so, Teramind was born. Isaac is a well-recognized thought leader in the security industry with many of his articles published in Forbes, Inc, Tripwire, and CSO Online. Read more industry thought leadership articles on Isaac's LinkedIn.

Posts created: 209

Previous articleHere’s a Roundup of Top 2017 Malicious Cyber Attacks, So Far

Next articleYou Must Have These Top Infosec and Cyber Security Events In Your Calendar